Chapter 6. If You Do Not Have Physical Security, You Do Not Have Security

Throughout this book we repeat ideas such as "defense in depth" and "layered security." We hope you haven't grown tired of that, because we'll continue to use this framework in upcoming chapters. It's useful for so many things: organizing thoughts, structuring security plans and controls, and guiding deployment. Indeed, although it might seem that your authors have taken controversial positions on many topics (based on our combined years of actually working with customers to help them get and stay secure), this is one security "best practice" with which we wholeheartedly agree: physical security is the absolute critical foundation upon which all else must rest. For without sound physical security, you have no security at all. It's time now to make reference to the OSI seven-layer model. All good information security and computer networking texts explain the model and use it for organizing discussion. In the real world, however, the model (remember, "a model" is "a cheap imitation") has two serious limitations: no actual network stack looks like the model, [1] and the model lacks any mention of a true physical facilities layer.
A better conceptual view of a network stack must include a layer zero, variously called the facility layer or meatspace:

Figure 6-1. The eight-layer model with meatspace.
Of course, a proper model must include the people, too; people add a whole set of layers that deserves enumeration and consideration. Thus a complete model that includes the facility, the network, and the people would be:

Figure 6-2. The 12-layer model with people, management, politics, and religion.
In the preceding chapter, we addressed how to secure people, the top of our more complete stack. In this chapter, we explore the other end, the bottom, and help you understand the absolute importance of physical security and how to improve what you might be doing now.